Vault auth with AWS Lambda


Anthony Liatsis

May 27, 2016, 1:38:57 AM
to Vault

I'm a little confused as to the best way to deploy, init, and auth into vault.
I would like to read and write secrets from an AWS Lambda function.
Since these functions are transient, I want to deploy an Elastic Beanstalk application with an internal load balancer exclusively for Vault and communicate with the Vault HTTP API from my Lambda functions.

Is this even a reasonable setup for Vault?
If so, what is the best way for the remote Lambda functions to auth into the Vault HTTP API since the unseal keys are created and deployed on separate machines?

I'm obviously new to Vault so any experienced advice would be greatly appreciated.

Michael Fischer

May 27, 2016, 3:37:21 PM
to vault...@googlegroups.com
We're using AWS KMS to encrypt our Vault token, and storing the encrypted value in DynamoDB.  Our Lambda function accesses both; the decrypted token is then used to access Vault.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/692b7d46-3f56-44f6-8963-95f63be32e73%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Anthony Liatsis

May 27, 2016, 4:04:57 PM
to Vault
Thanks that is super helpful.

A few follow-up questions:

1. Can you elaborate a bit more on your infra and process with Vault?
For example, how are you deploying the Vault instances (e.g. EC2 + ASG, ECS, Beanstalk)?
What's your process for initing and unsealing the Vault?

2. Which "Vault token" are you referring to? What auth backend does this correspond with?

3. My first impression of storing the encrypted Vault token in DynamoDB (or even S3) was one of questionable security risk.
How do you mitigate security concerns of this approach? Do you have super strict IAM roles/policies?

Thanks in advance for your help! It's greatly appreciated!

Michael Fischer

May 29, 2016, 11:43:38 AM
to vault...@googlegroups.com
On Fri, May 27, 2016 at 1:04 PM, Anthony Liatsis <anthony...@gmail.com> wrote:

> 1. Can you elaborate a bit more on your infra and process with Vault?
> For example, how are you deploying the Vault instances (e.g. EC2 + ASG, ECS, Beanstalk)?
> What's your process for initing and unsealing the Vault?

Vault is installed on EC2 using CloudFormation and post-bringup scripts via Chef recipes.   Consul ACL tokens are installed manually, and initial unsealing is performed by an administrator.  Unseal keys are then distributed across our team, and the administrator is expected to destroy the unseal keys.
 
> 2. Which "Vault token" are you referring to? What auth backend does this correspond with?

It's a token we generate with a long TTL that is associated with the Lambda script.  It's just using the token backend.
 

> 3. My first impression of storing the encrypted Vault token in DynamoDB (or even S3) was one of questionable security risk.
> How do you mitigate security concerns of this approach? Do you have super strict IAM roles/policies?

Amazon KMS has pretty good ACL support for the master keys; we only allow our Lambda resource to access this particular key for decryption operations.  Same goes for the DynamoDB table: it's a dedicated table for the Lambda resource and we configure IAM such that only the Lambda resource can access it.

I feel it's pretty secure, but I'd appreciate feedback if any security experts can tear it down.

--Michael
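The Lambda side of the pattern Michael describes (a Vault token encrypted under a KMS key, stored in DynamoDB, decrypted by the function and then presented to the Vault HTTP API), as an added example. This is not his code and not Vault's own client library; it assumes a DynamoDB table keyed by `name` whose single item holds the KMS ciphertext in a binary attribute `ciphertext`, a KMS encryption context that binds the ciphertext to this consumer, and a Vault address. The AWS clients and the HTTP opener are injected so the flow can be exercised offline against the constructed fakes at the bottom:

```python
import io
import json
import urllib.request

VAULT_ADDR = "https://vault.internal.example.com:8200"  # assumed Vault address
TABLE_NAME = "lambda-vault-token"                      # assumed table, dedicated to this Lambda
ITEM_KEY = "lambda-reader"                             # assumed item key


def fetch_vault_token(kms, dynamodb, table_name=TABLE_NAME, item_key=ITEM_KEY):
    """Read the ciphertext item and decrypt it with KMS; return the plaintext Vault token."""
    resp = dynamodb.get_item(TableName=table_name, Key={"name": {"S": item_key}},
                             ConsistentRead=True)
    item = resp.get("Item")
    if not item:
        raise RuntimeError("no token item %r in table %s" % (item_key, table_name))
    # The encryption context must match what was used at encrypt time; it binds
    # the ciphertext to this consumer and is recorded in CloudTrail on each decrypt.
    out = kms.decrypt(CiphertextBlob=item["ciphertext"]["B"],
                      EncryptionContext={"consumer": item_key})
    return out["Plaintext"].decode("utf-8")


def vault_read(opener, token, path, addr=VAULT_ADDR):
    """GET /v1/<path> with the token and return the secret's `data` map."""
    req = urllib.request.Request("%s/v1/%s" % (addr, path),
                                 headers={"X-Vault-Token": token})
    with opener.open(req) as resp:
        body = json.load(resp)
    return body["data"]


def lambda_handler(event, context, kms=None, dynamodb=None, opener=None):
    """Entry point: resolve the token, then read the secret path named in the event."""
    if kms is None or dynamodb is None:
        import boto3  # real clients only when none were injected
        kms = kms or boto3.client("kms")
        dynamodb = dynamodb or boto3.client("dynamodb")
    opener = opener or urllib.request.build_opener()
    token = fetch_vault_token(kms, dynamodb)
    return vault_read(opener, token, event["path"])


# Constructed fakes so the flow runs offline; ciphertext is just b"enc:" + plaintext.
class FakeKMS:
    def decrypt(self, CiphertextBlob, EncryptionContext):
        if EncryptionContext != {"consumer": ITEM_KEY}:
            raise PermissionError("InvalidCiphertextException")  # context mismatch
        return {"Plaintext": CiphertextBlob[4:]}


class FakeDynamoDB:
    def __init__(self, items):
        self.items = items

    def get_item(self, TableName, Key, **kw):
        item = self.items.get((TableName, Key["name"]["S"]))
        return {"Item": item} if item else {}


class FakeVault:  # serves one secret map; any other token is rejected like a 403
    def __init__(self, token, secrets):
        self.token, self.secrets = token, secrets

    def open(self, req):
        if req.get_header("X-vault-token") != self.token:
            raise PermissionError("403 permission denied")
        path = req.full_url.split("/v1/", 1)[1]
        return io.BytesIO(json.dumps({"data": self.secrets[path]}).encode())


FAKE_TOKEN = "lambda-reader-token-example"  # constructed, not a real token
FAKE_DDB = FakeDynamoDB({(TABLE_NAME, ITEM_KEY): {
    "name": {"S": ITEM_KEY}, "ciphertext": {"B": b"enc:" + FAKE_TOKEN.encode()}}})
FAKE_VAULT = FakeVault(FAKE_TOKEN, {"secret/app/db": {"password": "hunter2"}})


def demo():
    return lambda_handler({"path": "secret/app/db"}, None,
                          kms=FakeKMS(), dynamodb=FAKE_DDB, opener=FAKE_VAULT)
```

The IAM side that makes this tolerable is the part not shown in code: the key policy should grant this Lambda's execution role `kms:Decrypt` only (the rotating process, not the Lambda, gets `kms:Encrypt`), and the table policy should grant it `dynamodb:GetItem` on that one table. With that split, a compromised Lambda can read its own token but cannot mint or replace one.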

Anthony Liatsis

May 29, 2016, 6:09:30 PM
to Vault
Wow thank you so much for your explanations!
I greatly appreciate it!

One more follow-up question:
If an admin has to manually unseal the vault, how is that scalable if an instance dies or needs to be restarted?

Thanks again!

Michael Fischer

May 29, 2016, 7:47:58 PM
to vault...@googlegroups.com
It's inherent in the security model of Vault that you manually unseal it.  This is true regardless of how you operate it.  

The best practice is to stand up two instances, make one a primary and one a standby, and unseal them both. That way, if you lose one, you have another to fall back to. This should protect you against typical involuntary termination situations. 

In the event that one is terminated, you stand up another, make it a backup instance, and unseal it. 

In my experience this doesn't happen particularly frequently, but of course you should monitor it.

--Michael

Anthony Liatsis

May 29, 2016, 9:09:11 PM
to Vault
Thanks once again!
This is super helpful!

AlexM

Feb 3, 2017, 12:53:57 PM
to Vault
Hello Michael, how do you keep the auth token stored in Dynamo from expiring? Is Lambda invoked frequently enough that it takes care of its renewal, or is there an external out of band process that does the renewal or updating to a new token in Dynamo? Thank you in advance.

Michael Fischer

Feb 3, 2017, 12:56:41 PM
to vault...@googlegroups.com
There's an out-of-band process that replaces the token before it expires.
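What such an out-of-band replacement process can look like, as an added example; it is not Michael's process and not Vault's own tooling. It assumes the rotator runs with its own Vault token allowed on `auth/token/create`, `auth/token/lookup` and `auth/token/revoke`, holds `kms:Encrypt` (and `kms:Decrypt`, to find the token it is replacing) on the consumer's key, and writes to the same DynamoDB item the Lambda reads. The table name, item key, KMS alias, TTL and rotation margin are assumptions; the clients are injected so the logic runs offline against the constructed fakes:

```python
import io
import json
import urllib.request

VAULT_ADDR = "https://vault.internal.example.com:8200"  # assumed
TABLE_NAME = "lambda-vault-token"                      # assumed
ITEM_KEY = "lambda-reader"                             # assumed
KMS_KEY_ID = "alias/lambda-vault-token"                # assumed
TOKEN_TTL = "720h"                                     # assumed 30-day token lifetime
ROTATE_MARGIN = 7 * 24 * 3600                          # replace once a week is left
CONTEXT = {"consumer": ITEM_KEY}                       # must match the Lambda's decrypt call
ROTATOR_TOKEN = "rotator-token-example"                # constructed: the rotator's own token


def vault_post(opener, token, path, payload, addr=VAULT_ADDR):
    """POST JSON to /v1/<path>; return the parsed body, or {} for an empty 204."""
    req = urllib.request.Request("%s/v1/%s" % (addr, path), method="POST",
                                 data=json.dumps(payload).encode(),
                                 headers={"X-Vault-Token": token,
                                          "Content-Type": "application/json"})
    with opener.open(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def rotate_if_needed(opener, kms, dynamodb, rotator_token, margin=ROTATE_MARGIN):
    """Replace the published token when it is missing or has under `margin`
    seconds left; return the token that is now in DynamoDB."""
    item = dynamodb.get_item(TableName=TABLE_NAME, Key={"name": {"S": ITEM_KEY}},
                             ConsistentRead=True).get("Item")
    old = None
    if item:
        old = kms.decrypt(CiphertextBlob=item["ciphertext"]["B"],
                          EncryptionContext=CONTEXT)["Plaintext"].decode()
        ttl = vault_post(opener, rotator_token, "auth/token/lookup",
                         {"token": old})["data"]["ttl"]  # seconds remaining
        if ttl > margin:
            return old  # still fresh; nothing to do this run
    # Narrow token: one policy, hard max TTL, not renewable, so a leaked copy
    # cannot be extended past its window.
    created = vault_post(opener, rotator_token, "auth/token/create",
                         {"policies": ["lambda-reader"], "ttl": TOKEN_TTL,
                          "explicit_max_ttl": TOKEN_TTL, "renewable": False,
                          "display_name": ITEM_KEY})
    new = created["auth"]["client_token"]
    enc = kms.encrypt(KeyId=KMS_KEY_ID, Plaintext=new.encode(),
                      EncryptionContext=CONTEXT)
    dynamodb.put_item(TableName=TABLE_NAME, Item={
        "name": {"S": ITEM_KEY}, "ciphertext": {"B": enc["CiphertextBlob"]}})
    # Revoke the old token only after the new one is published. An invocation
    # that fetched the old token moments ago fails on its next Vault call; if
    # that matters, defer this revoke to the next rotation run instead.
    if old is not None:
        vault_post(opener, rotator_token, "auth/token/revoke", {"token": old})
    return new


# Constructed fakes so the flow runs offline; ciphertext is just b"enc:" + plaintext.
class FakeKMS:
    def encrypt(self, KeyId, Plaintext, EncryptionContext):
        return {"CiphertextBlob": b"enc:" + Plaintext}

    def decrypt(self, CiphertextBlob, EncryptionContext):
        if EncryptionContext != CONTEXT:
            raise PermissionError("InvalidCiphertextException")
        return {"Plaintext": CiphertextBlob[4:]}


class FakeDynamoDB:
    def __init__(self):
        self.items = {}

    def get_item(self, TableName, Key, **kw):
        item = self.items.get((TableName, Key["name"]["S"]))
        return {"Item": item} if item else {}

    def put_item(self, TableName, Item):
        self.items[(TableName, Item["name"]["S"])] = Item


class FakeVault:  # token backend stub: create, lookup (seconds left), revoke
    def __init__(self):
        self.tokens, self.count = {}, 0

    def open(self, req):
        path, body = req.full_url.split("/v1/", 1)[1], json.loads(req.data)
        if path == "auth/token/create":
            self.count += 1
            tok = "tok-%d" % self.count
            self.tokens[tok] = 720 * 3600
            out = {"auth": {"client_token": tok}}
        elif path == "auth/token/lookup":
            out = {"data": {"ttl": self.tokens[body["token"]]}}
        else:  # auth/token/revoke answers 204 with no body
            self.tokens.pop(body["token"], None)
            out = None
        return io.BytesIO(b"" if out is None else json.dumps(out).encode())


def demo():
    vault, kms, ddb = FakeVault(), FakeKMS(), FakeDynamoDB()
    first = rotate_if_needed(vault, kms, ddb, ROTATOR_TOKEN)   # publishes tok-1
    same = rotate_if_needed(vault, kms, ddb, ROTATOR_TOKEN)    # still fresh, keeps it
    vault.tokens[first] = 3600  # simulate the token nearing expiry
    second = rotate_if_needed(vault, kms, ddb, ROTATOR_TOKEN)  # mints tok-2, revokes tok-1
    return first, same, second, sorted(vault.tokens)
```

Running this on a schedule shorter than the margin (a daily cron or scheduled Lambda) means the published token is always replaced well before expiry, and the rotator's token is the only long-lived credential that needs to be protected on a host.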


Dan Alvizu

Nov 20, 2017, 12:25:55 PM
to Vault
Sorry to revive a dead thread but this is the first result on google so wanted to add:

vault supports aws iam role authentication - assign permissions to your lambda's role and no need to provision credentials:
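What the IAM method of Vault's AWS auth backend actually exchanges, as an added example written for this thread (it is not Vault's, hvac's or Dan's code). The Lambda signs an `sts:GetCallerIdentity` request with its own role credentials using SigV4, implemented here with the standard library, and sends the signed request, base64-wrapped, to `auth/aws/login`; Vault forwards it to STS and binds the returned ARN to a role, so no long-lived credential is provisioned anywhere. Assumed values: the Vault role name, the `X-Vault-AWS-IAM-Server-ID` value (which must match the backend's `iam_server_id_header_value`), `us-east-1` as the signing region for the global STS endpoint, and the constructed credentials used by the offline demo:

```python
import base64
import datetime
import hashlib
import hmac
import json
import os

STS_HOST = "sts.amazonaws.com"
STS_URL = "https://sts.amazonaws.com/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
VAULT_ROLE = "lambda-reader"                    # assumed Vault role bound to the Lambda's IAM role
VAULT_SERVER_ID = "vault.internal.example.com"  # assumed; configured on the backend as iam_server_id_header_value


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(key_id, secret, session_token, amz_date, server_id=VAULT_SERVER_ID,
                  region="us-east-1"):
    """Headers for POST STS_URL with STS_BODY, including the SigV4 Authorization line."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Host": STS_HOST,
        "X-Amz-Date": amz_date,
        # Signed header Vault checks: a request signed for one Vault cluster
        # cannot be replayed against another with a different server ID.
        "X-Vault-AWS-IAM-Server-ID": server_id,
    }
    if session_token:  # Lambda role credentials always carry a session token
        headers["X-Amz-Security-Token"] = session_token
    canon = sorted((k.lower(), v.strip()) for k, v in headers.items())
    canonical_headers = "".join("%s:%s\n" % kv for kv in canon)
    signed_headers = ";".join(k for k, _ in canon)
    canonical_request = "\n".join([
        "POST", "/", "",  # method, path, empty query string
        canonical_headers, signed_headers,
        hashlib.sha256(STS_BODY.encode()).hexdigest()])
    date = amz_date[:8]
    scope = "%s/%s/sts/aws4_request" % (date, region)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, "sts", "aws4_request"):
        key = _hmac(key, part)  # derive the per-day, per-region, per-service signing key
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (
        "AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s"
        % (key_id, scope, signed_headers, signature))
    return headers


def vault_login_payload(key_id, secret, session_token, amz_date=None, role=VAULT_ROLE):
    """Body to POST to /v1/auth/aws/login. Only the signed request travels to
    Vault; the secret key itself never leaves the function."""
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    headers = sigv4_headers(key_id, secret, session_token, amz_date)
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": b64(STS_URL),
        "iam_request_body": b64(STS_BODY),
        "iam_request_headers": b64(json.dumps(headers)),
    }


def decode_payload(payload):
    """Undo the base64 wrapping: (url, body, headers) is what Vault forwards to STS."""
    return (base64.b64decode(payload["iam_request_url"]).decode(),
            base64.b64decode(payload["iam_request_body"]).decode(),
            json.loads(base64.b64decode(payload["iam_request_headers"])))


def payload_from_lambda_env():
    """Inside Lambda the role credentials arrive as environment variables."""
    return vault_login_payload(os.environ["AWS_ACCESS_KEY_ID"],
                               os.environ["AWS_SECRET_ACCESS_KEY"],
                               os.environ.get("AWS_SESSION_TOKEN"))


# Constructed credentials for the offline demo; not real AWS keys.
DEMO_CREDS = ("AKIAIOSFODNN7EXAMPLE",
              "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
              "FQoDYXdzEXAMPLESESSIONTOKEN")
DEMO_DATE = "20160527T013857Z"


def demo():
    return vault_login_payload(*DEMO_CREDS, amz_date=DEMO_DATE)
```

The Lambda POSTs this payload to `/v1/auth/aws/login` and uses the `auth.client_token` from the response for the rest of the invocation; since nothing is stored between invocations, the KMS and DynamoDB pieces above disappear. On the Vault side the role must be created with `bound_iam_principal_arn` set to the Lambda's execution role and the backend configured with the same `iam_server_id_header_value`, otherwise Vault rejects the signed request.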